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after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 
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Response to Amendment 

This office action is responsive to Applicant's amendment received on March 4, 
2005. Claims 1, 9, and 15 are amended. Claims 1-24 are pending. 



Response to Arguments 

Applicant's arguments filed March 4, 2005 have been fully considered but they 

are not persuasive. 

Applicant argues that Sheymov fails to disclose: first, determining whether 

program instructions have been previously cached within a dynamic execution layer 

interface, second, transforming program instructions in any way within the decoy 

machine, and third, a virus detection program. 

Examiner responds Sheymov discloses as the protected system goes through 
updates, modifications and additions, the protected system is automatically duplicated 
in the DM. Therefore the DM's configuration closely parallels that of the protected 
computer ... The substantial duplication of pertinent aspects of the protected system in 
the dynamic decoy machine can be performed during changes to the protected 
machine's operating system, applications, and files, and those changes duplicated in 
the DM, thus constantly updating the DM (i.e., Updating the DM, not only reflect 
transforming program instructions in DM, but also proves that the previous version of 
instructions have previously existed in the DM)(Page 1, Par. 0012 and Page 2, Par. 
0019). The decoy machine as presented by Sheymov simulates environmental 
parameters, applications, and operations of the protected system to detect time- 
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triggered malicious codes (i.e., viruses, worms, and etc.) and to detect attempts to 
access undesirable areas of the decoy machine (i.e., the protected system) therefore 
acts a virus detection program. Additionally, the code inspection system contains 
sensors detecting negative impact of a questionable code on the protected machine 
(Page 2, Par. 0017). 

Examiner respectfully maintains the rejection formulated on December 27, 2004 
as follows: 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

Claims 1-4 and 6-24 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Sheymov, (U.S. Publication No. 2002/0116635 and Sheymov hereinafter). 

Regarding claim 1, Sheymov discloses a method for identifying infected program 
instructions, comprising the steps of: 
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inserting a dynamic execution layer interface (DELI) between computing device 
hardware and the program instructions (i.e., Dynamic Decoy Machine and the Code 
Inspection Management Module)(Page 1, Par 0012 and Page 3, Par. 0037); 

monitoring the program instructions as they enter the DELI to determine if the 
program instructions have been previously cached within the DELI, wherein the 
determination of whether the program instructions have been cached is responsive to 
an association between native application code and or more analogues that have been 
transformed within the DELI (Page 2, Par. 0013), and when it is the case that the 
program instructions have not been previously cached within the DELI (Page 5, 0049- 
0050); and 

analyzing the program instructions to determine if the program instructions are 
infected (i.e., detecting potential malicious code prior to passing code to the protected 
system)(Page 5, Par. 0049-0060). 

Regarding claims 9, 15, and 21 , Sheymov discloses a system for detecting 
infected program instructions in active software applications, comprising: 

means for intercepting program instructions designated for execution within the 
computing device, means for transforming the program instructions (i.e., the code 
inspection system automatically updates itself, reflecting software application additions 
and deletions in the protected computer as well as changes in configurations), means 
for determining when the intercepted program instructions have not been processed by 
the computing device responsive to an association between one or more analogues 
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that have been cached within a dynamic execution layer inserted between a processor 
and program instructions (Page 2, Par. 0013 and Page 5, Par. 0049-0050); and 

means for analyzing the intercepted program instructions that have not been 
processed by the computing device prior to forwarding the intercepted program 
instructions to computer hardware (i.e., detecting potential malicious code prior to 
passing code to the protected system)(Page 5, Par. 0049-0060). 

Regarding claims 19 and 12-14, Sheymov discloses a computer system, 
comprising: 

a processor, an execution memory (i.e., the protected system)(Page 3, Par. 
0035-0037); 

a dynamic execution layer interface (DELI)(i.e., Dynamic Decoy Machine and the 
Code Inspection Management Module)(Page 1, Par 0012 and Page 3, Par. 0037) 
residing between at least one application and the processor, wherein the DELI 
comprises: a core configured to cache and execute certain application code fragments, 
an application programming interface configured to provide access to caching and 
executing functions of the core to a virus detection manager (i.e., initializing the 
dynamic decoy machine and updating it if necessary), and a system control and 
configuration layer configured to provide policies for operation of the core (i.e., actuator 
module)(Page 5, Par. 0049-0060). 
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Regarding claim 2, Sheymov discloses wherein the step of analyzing the 
program instructions comprises an investigation of the contents of instructions within 
code fragments (Page 5, Par. 0050-0054). 

Regarding claim 3, Sheymov discloses wherein the step of analyzing the 
program instructions comprises inserting decrypted program instructions into a virus 
detection manager (Page 3, Par. 0032-0034). 

Regarding claims 4, 18, 22, and 24, Sheymov discloses further comprising the 
step of: 

releasing program instructions from the virus detection manager when infected 
program instructions are not detected (Page 5, Par. 0055-0056). 

Regarding claim 6, Sheymov discloses wherein the step of analyzing the 
program instructions comprises monitoring the behavior of the contents of the code 
fragments in a virtual computing device (Page 3, Par. 0036-0037). 

Regarding claims 7 and 20, Sheymov discloses wherein the step of analyzing the 
program instructions comprises applying a plurality of tests on the contents of the code 
fragments in a virtual computing device (Page 3, Par. 0036-0037). 

Regarding claim 8, Sheymov discloses further comprising the step of: 
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processing the released program instructions in computer hardware (Page 5, 
Par. 0055-0056). 

Regarding claims 10-1 1 and 16-17, Sheymov discloses further comprising: 
means for gaining control over execution of program instructions (Page 5, Par. 
0049-0056). 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claim 5 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sheymov, 
(U.S. Publication No. 2002/0116635 and Sheymov hereinafter), in view of Hypponen et 
al., (U.S. Patent No. 6,577,920 and Hypponen hereinafter). 

Regarding claim 5, Sheymov does not expressly disclose wherein the step of 
analyzing the program instructions comprises performing a signature comparison with 
the contents of the code fragments. 

However, Hypponen discloses wherein the step of analyzing the program 
instructions comprises performing a signature comparison with the contents of the 
code fragments (Col. 4, lines 36-67 and Col. 5, lines 1-67). 
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Therefore, it would have been obvious to a person of ordinary skill in the art at 
the time of applicant's invention to modify the teachings of Sheymov with the teachings 
of Hypponen because it would allow to include the step of analyzing the program 
instructions comprises performing a signature comparison with the contents of the 
code fragments with the motivation to scan data being written to or read from a 
computer's hard disk drive for the presence of macros having a checksum 
corresponding to one of the identified viruses (Hypponen, Col. 2, lines 1-5). 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Nachenberg, (U.S. Patent No. 5,964,889), 

Nachenberg, (U.S. Patent No. 5,826,013), 

Schnurer et al. (U.S. Patent No. 5,842,002), 

Arnold et al., (U.S. Patent No. 5,440,723), 

Rogers et al., (U.S. Publication No. 2002/0083334), and 

Natvig, (U.S. Publication No. 2003/0135791). 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing daie of this final action and the advisory action is not 
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mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Arezoo Sherkat whose telephone number is (571 ) 272- 
3796. The examiner can normally be reached on 8:00-4:30 Monday-Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571 ) 272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 





Arezoo Sherkat 
Patent Examiner 
Group 2131 
Mav 18. 2005 



